<!DOCTYPE html>
<html lang="zh-CN">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width,initial-scale=1">
    <title>js之安全问题：Cookie、CSRF和XSS | 掏钱的机器猫</title>
    <meta name="generator" content="VuePress 1.9.7">
    <link rel="icon" href="/vue-admin-ui/assets/logo.png">
    <meta name="description" content="掏钱的机器猫的个人博客,记录随笔与学习笔记，个人项目等">
    <meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no">
    
    <link rel="preload" href="/vue-admin-ui/assets/css/0.styles.fb55c927.css" as="style"><link rel="preload" href="/vue-admin-ui/assets/js/app.21d1badc.js" as="script"><link rel="preload" href="/vue-admin-ui/assets/js/3.d02ddc64.js" as="script"><link rel="preload" href="/vue-admin-ui/assets/js/1.38c8ef5a.js" as="script"><link rel="preload" href="/vue-admin-ui/assets/js/13.3dde5c1a.js" as="script"><link rel="prefetch" href="/vue-admin-ui/assets/js/10.d9a14dc0.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/11.284df538.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/12.530bdb86.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/14.e18000c4.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/15.65b98979.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/16.953b2589.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/17.d6be13fa.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/18.a10ec5a3.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/19.f2ef083a.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/20.9e024a1a.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/21.b818c6cd.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/22.f3716a62.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/23.42bfb2a3.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/24.0382e6dc.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/25.9b1cf793.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/26.626abbca.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/27.d6b1a7e8.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/28.7381bce0.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/29.65b69672.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/30.70062600.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/31.036bec0e.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/32.1ec26c99.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/33.69485516.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/34.30a7370c.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/35.1e72f74a.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/36.a6aaafe3.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/4.984f5e20.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/5.2cbf0f84.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/6.eab8daa0.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/7.41bb2a3c.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/8.79ebffb7.js"><link rel="prefetch" href="/vue-admin-ui/assets/js/9.e9ae19e3.js">
    <link rel="stylesheet" href="/vue-admin-ui/assets/css/0.styles.fb55c927.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container" data-v-2d5f533b><div data-v-2d5f533b><div id="loader-wrapper" class="loading-wrapper" data-v-d48f4d20 data-v-2d5f533b data-v-2d5f533b><div class="loader-main" data-v-d48f4d20><div data-v-d48f4d20></div><div data-v-d48f4d20></div><div data-v-d48f4d20></div><div data-v-d48f4d20></div></div> <!----> <!----></div> <div class="password-shadow password-wrapper-out" style="display:none;" data-v-64685f0e data-v-2d5f533b data-v-2d5f533b><h3 class="title" style="display:none;" data-v-64685f0e data-v-64685f0e>掏钱的机器猫</h3> <!----> <label id="box" class="inputBox" style="display:none;" data-v-64685f0e data-v-64685f0e><input type="password" value="" data-v-64685f0e> <span data-v-64685f0e>Konck! Knock!</span> <button data-v-64685f0e>OK</button></label> <div class="footer" style="display:none;" data-v-64685f0e data-v-64685f0e><span data-v-64685f0e><i class="iconfont reco-theme" data-v-64685f0e></i> <a target="blank" href="https://vuepress-theme-reco.recoluan.com" data-v-64685f0e>vuePress-theme-reco</a></span> <span data-v-64685f0e><i class="iconfont reco-copyright" data-v-64685f0e></i> <a data-v-64685f0e><span data-v-64685f0e>Ethan</span>
              
            <span data-v-64685f0e>2018 - </span>
            2022
          </a></span></div></div> <div class="hide" data-v-2d5f533b><header class="navbar" data-v-2d5f533b><div class="sidebar-button"><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" role="img" viewBox="0 0 448 512" class="icon"><path fill="currentColor" d="M436 124H12c-6.627 0-12-5.373-12-12V80c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12z"></path></svg></div> <a href="/vue-admin-ui/" class="home-link router-link-active"><img src="/vue-admin-ui/assets/logo.png" alt="掏钱的机器猫" class="logo"> <span class="site-name">掏钱的机器猫</span></a> <div class="links"><div class="color-picker"><a class="color-button"><i class="iconfont reco-color"></i></a> <div class="color-picker-menu" style="display:none;"><div class="mode-options"><h4 class="title">Choose mode</h4> <ul class="color-mode-options"><li class="dark">dark</li><li class="auto active">auto</li><li class="light">light</li></ul></div></div></div> <div class="search-box"><i class="iconfont reco-search"></i> <input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><div class="nav-item"><div class="dropdown-wrapper"><a class="dropdown-title"><span class="title"><i class="iconfont reco-document"></i>
        插件文档
      </span> <span class="arrow right"></span></a> <ul class="nav-dropdown" style="display:none;"><li class="dropdown-item"><!----> <a href="/vue-admin-ui/category/vue-admin-ui-lib/" class="nav-link"><i class="iconfont undefined"></i>
    vue-admin-ui-lib
  </a></li><li class="dropdown-item"><!----> <a href="/vue-admin-ui/category/submit-valid/" class="nav-link"><i class="iconfont undefined"></i>
    submit-valid
  </a></li><li class="dropdown-item"><!----> <a href="/vue-admin-ui/category/open-utils/" class="nav-link"><i class="iconfont undefined"></i>
    open-utils
  </a></li></ul></div></div><div class="nav-item"><a href="/vue-admin-ui/handle/handle/method.html" class="nav-link"><i class="iconfont undefined"></i>
    手写代码
  </a></div><div class="nav-item"><div class="dropdown-wrapper"><a class="dropdown-title"><span class="title"><i class="iconfont reco-message"></i>
        个人站点
      </span> <span class="arrow right"></span></a> <ul class="nav-dropdown" style="display:none;"><li class="dropdown-item"><!----> <a href="https://gitee.com/ethan6" target="_blank" rel="noopener noreferrer" class="nav-link external"><i class="iconfont reco-mayun"></i>
    Gitee
    <span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li><li class="dropdown-item"><!----> <a href="https://github.com/Ethan66" target="_blank" rel="noopener noreferrer" class="nav-link external"><i class="iconfont reco-github"></i>
    Github
    <span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li></ul></div></div> <a href="https://github.com/Ethan66/vue-admin-ui" target="_blank" rel="noopener noreferrer" class="repo-link"><i class="iconfont reco-github"></i>
      Github
      <span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></nav></div></header> <div class="sidebar-mask" data-v-2d5f533b></div> <aside class="sidebar" data-v-2d5f533b><div class="personal-info-wrapper" data-v-ca798c94 data-v-2d5f533b><img src="/vue-admin-ui/assets/logo.png" alt="author-avatar" class="personal-img" data-v-ca798c94> <h3 class="name" data-v-ca798c94>
    Ethan
  </h3> <div class="num" data-v-ca798c94><div data-v-ca798c94><h3 data-v-ca798c94>24</h3> <h6 data-v-ca798c94>文章</h6></div> <div data-v-ca798c94><h3 data-v-ca798c94>11</h3> <h6 data-v-ca798c94>标签</h6></div></div> <hr data-v-ca798c94></div> <nav class="nav-links"><div class="nav-item"><div class="dropdown-wrapper"><a class="dropdown-title"><span class="title"><i class="iconfont reco-document"></i>
        插件文档
      </span> <span class="arrow right"></span></a> <ul class="nav-dropdown" style="display:none;"><li class="dropdown-item"><!----> <a href="/vue-admin-ui/category/vue-admin-ui-lib/" class="nav-link"><i class="iconfont undefined"></i>
    vue-admin-ui-lib
  </a></li><li class="dropdown-item"><!----> <a href="/vue-admin-ui/category/submit-valid/" class="nav-link"><i class="iconfont undefined"></i>
    submit-valid
  </a></li><li class="dropdown-item"><!----> <a href="/vue-admin-ui/category/open-utils/" class="nav-link"><i class="iconfont undefined"></i>
    open-utils
  </a></li></ul></div></div><div class="nav-item"><a href="/vue-admin-ui/handle/handle/method.html" class="nav-link"><i class="iconfont undefined"></i>
    手写代码
  </a></div><div class="nav-item"><div class="dropdown-wrapper"><a class="dropdown-title"><span class="title"><i class="iconfont reco-message"></i>
        个人站点
      </span> <span class="arrow right"></span></a> <ul class="nav-dropdown" style="display:none;"><li class="dropdown-item"><!----> <a href="https://gitee.com/ethan6" target="_blank" rel="noopener noreferrer" class="nav-link external"><i class="iconfont reco-mayun"></i>
    Gitee
    <span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li><li class="dropdown-item"><!----> <a href="https://github.com/Ethan66" target="_blank" rel="noopener noreferrer" class="nav-link external"><i class="iconfont reco-github"></i>
    Github
    <span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li></ul></div></div> <a href="https://github.com/Ethan66/vue-admin-ui" target="_blank" rel="noopener noreferrer" class="repo-link"><i class="iconfont reco-github"></i>
      Github
      <span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></nav> <ul class="sidebar-links"><li><section class="sidebar-group depth-0"><p class="sidebar-heading open"><span></span> <!----></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/vue-admin-ui/article/browser/browser.html" class="sidebar-link">浏览器渲染机制</a></li><li><a href="/vue-admin-ui/article/browser/CSRF,XSS.html" aria-current="page" class="active sidebar-link">js之安全问题：Cookie、CSRF和XSS</a></li><li><a href="/vue-admin-ui/article/browser/css.html" class="sidebar-link">css</a></li><li><a href="/vue-admin-ui/article/browser/Dom.html" class="sidebar-link">DOM</a></li><li><a href="/vue-admin-ui/article/browser/html5.html" class="sidebar-link">html5</a></li><li><a href="/vue-admin-ui/article/browser/performanceOptimize.html" class="sidebar-link">js之页面性能优化</a></li></ul></section></li></ul> </aside> <div class="password-shadow password-wrapper-in" style="display:none;" data-v-64685f0e data-v-2d5f533b><h3 class="title" style="display:none;" data-v-64685f0e data-v-64685f0e>js之安全问题：Cookie、CSRF和XSS</h3> <!----> <label id="box" class="inputBox" style="display:none;" data-v-64685f0e data-v-64685f0e><input type="password" value="" data-v-64685f0e> <span data-v-64685f0e>Konck! Knock!</span> <button data-v-64685f0e>OK</button></label> <div class="footer" style="display:none;" data-v-64685f0e data-v-64685f0e><span data-v-64685f0e><i class="iconfont reco-theme" data-v-64685f0e></i> <a target="blank" href="https://vuepress-theme-reco.recoluan.com" data-v-64685f0e>vuePress-theme-reco</a></span> <span data-v-64685f0e><i class="iconfont reco-copyright" data-v-64685f0e></i> <a data-v-64685f0e><span data-v-64685f0e>Ethan</span>
              
            <span data-v-64685f0e>2018 - </span>
            2022
          </a></span></div></div> <div data-v-2d5f533b><main class="page"><div class="page-title" style="display:none;"><h1 class="title">js之安全问题：Cookie、CSRF和XSS</h1> <div data-v-3b7f5bdf><i class="iconfont reco-account" data-v-3b7f5bdf><span data-v-3b7f5bdf>Ethan</span></i> <i class="iconfont reco-date" data-v-3b7f5bdf><span data-v-3b7f5bdf>2020-10-23</span></i> <!----> <i class="iconfont reco-tag tags" data-v-3b7f5bdf><span class="tag-item" data-v-3b7f5bdf>性能安全</span></i></div></div> <div class="theme-reco-content content__default" style="display:none;"><p><img src="https://drscdn.500px.org/photo/308889393/q%3D80_m%3D1500/v2?webp=true&amp;sig=48952e772b3844825d60ffd0aa79a676f7de2efefda9c57e7985709aeb59ea82" alt=""></p> <h1 id="js之安全问题-cookie、csrf和xss"><a href="#js之安全问题-cookie、csrf和xss" class="header-anchor">#</a> js之安全问题：Cookie、CSRF和XSS</h1> <h2 id="cookie安全性问题"><a href="#cookie安全性问题" class="header-anchor">#</a> Cookie安全性问题</h2> <h3 id="作用"><a href="#作用" class="header-anchor">#</a> 作用</h3> <blockquote><ul><li>http是无状态的协议。客户端与服务端建立连接传输数据，数据传输完毕就断开连接，下次请求再创建新的链接，所以请求的时候服务器根本不知道是不是同一个用户进行请求。cookie就是为了解决http无状态问题，服务器发送登录凭据Cookie给客户端，用户再次访问的时候就会发送服务器，服务器再进行比对，确认无误就会免密码操作。</li> <li>每次都会携带在 header 中，对于请求性能影响。</li> <li>cookie大小限制是4k，是每个name=value的value的值大概是4k</li></ul></blockquote> <h3 id="如何使用"><a href="#如何使用" class="header-anchor">#</a> 如何使用</h3> <div class="language- line-numbers-mode"><pre class="language-text"><code>document.cookie = 'username=Ethan'
document.cookie = 'age=18'
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><h3 id="生命周期"><a href="#生命周期" class="header-anchor">#</a> 生命周期</h3> <blockquote><p>创建cookie的时候，会给cookie指定一个值：Expire，它就是指定cookie的有效期，也就是cookie的生命周期，超出设置的这个生命周期，cookie就会被清除。如果给这个值Expire设置为0或者负值，那么这样的设置就是在关闭浏览器时，就会清除cookie，这种方式更加安全。</p></blockquote> <h3 id="作用域"><a href="#作用域" class="header-anchor">#</a> 作用域</h3> <blockquote><p>支持同源策略</p></blockquote> <h3 id="为什么不安全"><a href="#为什么不安全" class="header-anchor">#</a> 为什么不安全</h3> <div class="language- line-numbers-mode"><pre class="language-text"><code>0、每次请求都会带上cookie，浪费资源
1、最大的原因是因为它存储在浏览器端（用户本地），能够通过浏览器截获cookie（脚本、利用工具抓取等）。
2、cookie以纯文本的形式在浏览器和服务器之间传递，在web通信时极容易被非法用户截获和利用。
3、Flash中有一个getURL()函数，Flash利用它自动打开指定的页面。你在观看Flash动画时，在Flash的内部可以打开一个极小的包含特殊操作的页面，可以向远端输入当前cookie或者用户信息，由于这个是Flash内部的操作，所以网站无法禁止，要想避免，尽量打开本地防火墙以及访问正规网站。
非法用户截获cookie后，在cookie的有效时间内重新发放给服务器，那么这个非法用户就拥有了这个合法用户的所有权限。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h2 id="indexeddb"><a href="#indexeddb" class="header-anchor">#</a> IndexedDB</h2> <blockquote><p>用于客户端存储大量结构化数据(包括文件和blobs)。没有存储上限的（一般来说不会小于 250M）。IndexedDB 是异步的。异步设计是为了防止大量数据的读写，拖慢网页的表现。会一直存在浏览器中，除非被清理。</p></blockquote> <div class="language- line-numbers-mode"><pre class="language-text"><code>IndexedDB不是常用的调用方法，而是请求响应的模式。
function openDB(name){
var request=window.indexedDB.open(name)//建立打开IndexedDB
request.onerror=function (e){
console.log('open indexdb error')
}
request.onsuccess=function (e){
myDB.db=e.target.result//这是一个 IDBDatabase对象，这就是IndexedDB对象
console.log(myDB.db)//此处就可以获取到db实例
}
}
var myDB={
name:'testDB',
version:'1',
db:null
}
openDB(myDB.name)
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br></div></div><h2 id="sessionstorage和localstorage和cookie的区别"><a href="#sessionstorage和localstorage和cookie的区别" class="header-anchor">#</a> sessionStorage和localStorage和cookie的区别</h2> <div class="language- line-numbers-mode"><pre class="language-text"><code>作用域：localStorage只要在相同的协议、相同的主机名、相同的端口下，就能读取/修改到同一份localStorage数据。sessionStorage比localStorage更严苛一点，除了协议、主机名、端口外，还要求在同一窗口（也就是浏览器的标签页）下

生命周期：localStorage 是持久化的本地存储，存储在其中的数据是永远不会过期的，使其消失的唯一办法是手动删除；而 sessionStorage 是临时性的本地存储，它是会话级别的存储，当会话结束（页面被关闭）时，存储内容也随之被释放。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><h3 id="如何解决"><a href="#如何解决" class="header-anchor">#</a> 如何解决</h3> <div class="language- line-numbers-mode"><pre class="language-text"><code>1、设置cookie有效期不要过长
2、设置HttpOnly属性为true（防止js脚本读取cookie信息，有效的防止XSS攻击）
3、用户第一次登录时，保存ip+cookie加密后的token。每次请求，都去将当前cookie和ip组合起来加密后的token与保存的token作对比，只有完全对应才能验证成功。
4、如果网站支持https，那么可以为cookie设置Secure属性为true，它的意思是，cookie只能使用https协议发送给服务器，而https比http更加安全。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><h2 id="csrf的安全性问题"><a href="#csrf的安全性问题" class="header-anchor">#</a> CSRF的安全性问题</h2> <h3 id="概念及原理"><a href="#概念及原理" class="header-anchor">#</a> 概念及原理</h3> <div class="language- line-numbers-mode"><pre class="language-text"><code>全称：跨站请求伪造。
概念：攻击者盗用了你的身份，伪装成你发送恶意请求。
攻击原理：
1、用户C访问正常网站A时进行登录，浏览器保存A的cookie
2、用户C再访问攻击网站B，网站B上有某个隐藏的链接或者图片标签会自动请求网站A的URL地址,例如表单提交，传指定的参数
如：&lt;img src=”http://bank.example/withdraw?account=bob&amp;amount=1000000&amp;for=黑客 /&gt;
3、而攻击网站B在访问网站A的时候，浏览器会自动带上网站A的cookie
4、所以网站A在接收到请求之后可判断当前用户是登录状态，所以根据用户的权限做具体的操作逻辑，造成伪造成功
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><h3 id="防范措施"><a href="#防范措施" class="header-anchor">#</a> 防范措施</h3> <div class="language- line-numbers-mode"><pre class="language-text"><code>1、验证HTTP Referer字段
根据 HTTP 协议，在 HTTP 头中有一个字段叫 Referer，它记录了该 HTTP 请求的来源地址。也就是说，服务器会验证客户端的请求来源，如果本网站请求的则响应，否则不响应。
缺点：1.每个浏览器对于 Referer 的具体实现可能有差别，并不能保证浏览器自身没有安全漏洞。对于某些浏览器，比如 IE6 或 FF2，目前已经有一些方法可以篡改 Referer 值。2.用户自己可以设置浏览器使其在发送请求时不再提供 Referer

2、在HTTP 头中自定义属性并验证
在HTTP的head中放入token，在用户登陆后产生token放于session或cookie中，然后在每次请求时服务器把token从session或cookie中拿出，与本次请求中的token 进行比对。由于token的存在，攻击者无法再构造出一个完整的URL实施CSRF攻击。但在处理多个页面共存问题时，当某个页面消耗掉token后，其他页面的表单保存的还是被消耗掉的那个token，其他页面的表单提交时会出现token错误。

3、验证码
应用程序和用户进行交互过程中，特别是账户交易这种核心步骤，强制用户输入验证码，才能完成最终请求。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><h2 id="xss的安全问题"><a href="#xss的安全问题" class="header-anchor">#</a> XSS的安全问题</h2> <h3 id="概念及原理-2"><a href="#概念及原理-2" class="header-anchor">#</a> 概念及原理</h3> <div class="language- line-numbers-mode"><pre class="language-text"><code>1、全称
跨域脚本攻击

2、XSS攻击的核心原理是
不需要你做任何的登录认证，它会通过合法的操作（比如在url中输入、在评论框中输入），向你的页面注入脚本（可能是js、hmtl代码块等）。

3、攻击方式
1、反射型：XSS代码出现在url，referer 中注入可执行脚本代码（https://xxx.com/xxx?default=&lt;script&gt;alert(document.cookie)&lt;/script&gt;），通过用户点击操作，通过 HTTP 的 GET 和 POST 请求就能完成一次攻击，拿到用户隐私数据。
2、存储型：存储型XSS和反射型XSS的差别在于，一般存在于 Form 表单提交等交互功能，将提交的代码会存储在服务器端（数据库、内存、文件系统等），当前端页面获得后端从数据库中读出的注入代码时，恰好将其渲染执行。
满足条件：POST 请求提交表单后端没做转义直接入库。后端从数据库中取出数据没做转义直接输出给前端。前端拿到后端数据没做转义直接渲染成 DOM。

4、攻击的结果
盗用Cookie，破坏页面的正常结构，插入广告等恶意内容
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><h3 id="xss的防范措施"><a href="#xss的防范措施" class="header-anchor">#</a> XSS的防范措施</h3> <div class="language- line-numbers-mode"><pre class="language-text"><code>// 反射型
1、Web 页面渲染的所有内容或者渲染的数据都必须来自于服务端。
2、尽量不要从 URL，document.referrer，document.forms 等这种 DOM API 中获取数据直接渲染。
3、尽量不要使用 eval, new Function()等可执行字符串的方法。

// 存储型
1、编码
对用户输入的数据进行HTML Entity编码。比如&lt;script&gt;alert(1)&lt;/script&gt;，若不进行任何处理，则浏览器会执行alert的js操作，实现XSS注入。进行编码处理之后，L在浏览器中的显示结果就是&lt;script&gt;alert(1)&lt;/script&gt;，实现了将$var作为纯文本进行输出。
2、过滤
移除用户输入的和事件相关的属性。如onerror可以自动触发攻击，还有onclick等。（总而言是，过滤掉一些不安全的内容）
移除用户输入的Style节点、Script节点、Iframe节点。（尤其是Script节点，它可是支持跨域的呀，一定要移除）。
3、校正
避免直接对HTML Entity进行解码，使用DOM Parse转换，校正不配对的DOM标签。
DOM Parse的作用是把文本解析成DOM结构。

// CSP方式
CSP 本质上就是建立白名单，开发者明确告诉浏览器哪些外部资源可以加载和执行。我们只需要配置规则，如何拦截是由浏览器自己实现的。我们可以通过这种方式来尽量减少 XSS 攻击。
设置 HTTP Header 中的 Content-Security-Policy：
Content-Security-Policy: default-src 'self' // 只允许加载本站资源
Content-Security-Policy: img-src https://* // 只允许加载 HTTPS 协议图片
Content-Security-Policy: child-src 'none' // 允许加载任何来源框架
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br></div></div><h2 id="csrf和xss的区别"><a href="#csrf和xss的区别" class="header-anchor">#</a> CSRF和XSS的区别</h2> <p>CSRF：1、需要用户先登录网站A，获取 cookie。2、是利用网站A本身的漏洞，去请求网站A的api。
XSS：1、不需要登录。2、是向网站 A 注入 JS代码，然后执行 JS 里的代码，篡改网站A的内容。</p></div> <footer class="page-edit" style="display:none;"><!----> <div class="last-updated"><span class="prefix">上次更新: </span> <span class="time">2022/7/8 上午10:51:20</span></div></footer> <!----> <!----> <!----></main> <!----></div></div></div></div><div class="global-ui"><div class="back-to-ceiling" style="right:1rem;bottom:6rem;width:2.5rem;height:2.5rem;border-radius:.25rem;line-height:2.5rem;display:none;" data-v-c6073ba8 data-v-c6073ba8><svg t="1574745035067" viewBox="0 0 1024 1024" version="1.1" xmlns="http://www.w3.org/2000/svg" p-id="5404" class="icon" data-v-c6073ba8><path d="M526.60727968 10.90185116a27.675 27.675 0 0 0-29.21455937 0c-131.36607665 82.28402758-218.69155461 228.01873535-218.69155402 394.07834331a462.20625001 462.20625001 0 0 0 5.36959153 69.94390903c1.00431239 6.55289093-0.34802892 13.13561351-3.76865779 18.80351572-32.63518765 54.11355614-51.75690182 118.55860487-51.7569018 187.94566865a371.06718723 371.06718723 0 0 0 11.50484808 91.98906777c6.53300375 25.50556257 41.68394495 28.14064038 52.69160883 4.22606766 17.37162448-37.73630017 42.14135425-72.50938081 72.80769204-103.21549295 2.18761121 3.04276886 4.15646224 6.24463696 6.40373557 9.22774369a1871.4375 1871.4375 0 0 0 140.04691725 5.34970492 1866.36093723 1866.36093723 0 0 0 140.04691723-5.34970492c2.24727335-2.98310674 4.21612437-6.18497483 6.3937923-9.2178004 30.66633723 30.70611158 55.4360664 65.4791928 72.80769147 103.21549355 11.00766384 23.91457269 46.15860503 21.27949489 52.69160879-4.22606768a371.15156223 371.15156223 0 0 0 11.514792-91.99901164c0-69.36717486-19.13165746-133.82216804-51.75690182-187.92578088-3.42062944-5.66790279-4.76302748-12.26056868-3.76865837-18.80351632a462.20625001 462.20625001 0 0 0 5.36959269-69.943909c-0.00994388-166.08943902-87.32547796-311.81420293-218.6915546-394.09823051zM605.93803103 357.87693858a93.93749974 93.93749974 0 1 1-187.89594924 6.1e-7 93.93749974 93.93749974 0 0 1 187.89594924-6.1e-7z" p-id="5405" data-v-c6073ba8></path><path d="M429.50777625 765.63860547C429.50777625 803.39355007 466.44236686 1000.39046097 512.00932183 1000.39046097c45.56695499 0 82.4922232-197.00623328 82.5015456-234.7518555 0-37.75494459-36.9345906-68.35043303-82.4922232-68.34111062-45.57627738-0.00932239-82.52019037 30.59548842-82.51086798 68.34111062z" p-id="5406" data-v-c6073ba8></path></svg></div></div></div>
    <script src="/vue-admin-ui/assets/js/app.21d1badc.js" defer></script><script src="/vue-admin-ui/assets/js/3.d02ddc64.js" defer></script><script src="/vue-admin-ui/assets/js/1.38c8ef5a.js" defer></script><script src="/vue-admin-ui/assets/js/13.3dde5c1a.js" defer></script>
  </body>
</html>
